Description
SQL Injection in sequelize
Versions 2.0.0-rc-7 and earlier of sequelize are affected by a SQL injection vulnerability when user input is passed into the order parameter.
Proof of Concept

```javascript
// The second element of the order pair is an untrusted string that reaches the ORDER BY clause
Test.findAndCountAll({
  where: { id: 1 },
  order: [['id', 'UNTRUSTED USER INPUT']]
});
```
Recommendation
Update to version 2.0.0-rc8 or later
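Besides upgrading, the sort direction and column should only ever come from an allowlist before they are handed to `order`. The following is an added example, not code from the advisory or from the Sequelize project; the column names and the `{ sort, dir }` request shape are assumptions for illustration.

```javascript
// Added example: build a Sequelize `order` option only from allowlisted values, so a
// request such as ?sort=id&dir=<anything> cannot place raw text into ORDER BY.
// The column list and request shape are assumptions, not from the advisory.

const ALLOWED_SORT_COLUMNS = new Set(['id', 'createdAt', 'name']);
const ALLOWED_DIRECTIONS = new Set(['ASC', 'DESC']);

class InvalidSortError extends Error {}

// Returns an order array suitable for findAndCountAll({ order }) or throws.
function buildOrder(column, direction = 'ASC') {
  if (typeof column !== 'string' || !ALLOWED_SORT_COLUMNS.has(column)) {
    throw new InvalidSortError(`sort column not permitted: ${String(column)}`);
  }
  const dir = String(direction).toUpperCase();
  if (!ALLOWED_DIRECTIONS.has(dir)) {
    throw new InvalidSortError(`sort direction not permitted: ${String(direction)}`);
  }
  // Both values are now known literals from the allowlists, never the caller's raw string.
  return [[column, dir]];
}

// Request-handling helper: a rejected value falls back to a fixed default order
// rather than reaching the query. Usage (assumed model and request objects):
//   Test.findAndCountAll({ where: { id: 1 }, order: orderFromQuery(req.query) })
function orderFromQuery(query) {
  try {
    return buildOrder(query.sort, query.dir);
  } catch (e) {
    if (e instanceof InvalidSortError) return [['id', 'ASC']];
    throw e;
  }
}
```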
Packages
Name: sequelize (npm)
Affected versions: <= 2.0.0-rc7
Fixed version: 2.0.0-rc8
Related vulnerabilities
nvd
about 11 years ago
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.